©2014 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
October 7, 2014
Data Breach Prevention and Response
Introductions
Chanley Howell, Partner, Technology Transactions & Outsourcing
Foley & Lardner
chowell@foley.com
(904) 359-8745 | office
Peter Sanborn, Associate, Technology Transactions & Outsourcing
Foley & Lardner
psanborn@foley.com
(617) 502-3367 | office
Kate Bolland Eshghi, Vice President, General Counsel
UMass Memorial Health Care
katharine.eshghi@umassmemorial.org
(508) 334-1700 | office
Leeann Habte, Senior Counsel, Health Care Industry Team
Foley & Lardner
lhabte@foley.com
(213) 972-4679 | office
Agenda
I. Overview
− Nature of the Risk
− Types and Sources of Risk
− Stakeholders
II. Phase 1: Preparation, Planning and Day-to-Day
− Assessing the Data
− Assessing Risk Tolerance
− Mitigating the Risk
− Health Checkups
− Plan for Milestones
III. Phase 2: Post Breach
− Assess Data
− Activate Team
− Take Action
Overview
Top Settlements for Breaches of PHI
■ Settlements in Past 12 Months
− 6/2014 – health care system paid $800,000 in settlement of a medical records dumping case to the Office for Civil Rights (OCR)
− 5/2014 – $4.8 million paid by two providers to OCR for failure to secure ePHI on their network
− 4/2014 – two entities paid $2 million collectively to OCR related to thefts of unencrypted laptops and other mobile devices
− 3/2014 – health care provider paid $4 million in settlement of a class action related to a security breach by a contractor
Top Settlements for Breaches of PHI
■ Settlements in Past 12 Months (cont.)
− 2/2014 – health care provider paid $3 million in settlement of a class action related to theft of unencrypted laptops
− 11/2013 – health plan paid just over $1.2 million in settlement with OCR when a photocopier containing PHI was compromised
Types of Breaches
■ “My data falls into the wrong hands”
− Inadvertently or maliciously accessed, disclosed or used inappropriately by an employee or third party
− Stolen by a hacker
− Lost or stolen, and we don’t know who has it (if anyone)
− Looks like it was lost or stolen (even if it wasn’t)
Types & Sources of Risk
■ Types
− Legal/compliance/regulatory: Breaking a law (federal, state, international, HIPAA, etc.)
− Financial: Loss of revenue; Damages; Penalties/fines; Litigation
− Reputational: Damage to customer relationships; Lost revenue; “Bad Press”
− Security: Theft of valuable data; Holes in IT systems exposed
− Operational/Clinical: Loss, destruction or compromise to integrity of data
Types & Sources of Risk (cont.)
■ Sources
− Technical vs. Human: Firewalls vs. Phishing vs. Human Error or Wrongdoing
− Roles of vendors/third parties (and their contractors)
Stakeholders
■ Who is or should be concerned about the risk?
− Legal
− Compliance/Audit/Risk Management
− Security Teams
− Regulators
− Executives
− Board of Directors
− Physicians and other Care Providers
− Customers
− Business Teams/Sales Teams
− Vendors
− General Public
− Investors/Partners
− Others?
Lifecycle of Risk Mitigation
■ Two Phases:
− Preparation, Planning and Day-to-Day
− Post-Breach
Phase 1: Preparation, Planning and Day-to-Day
Start With The Data
■ Questions to Ask:
− What is the data?
− How sensitive is the data?
− How much data is there?
− Where is the data?
− Who has access to the data?
− What is the purpose of the data?
■ Types of Data:
− PHI
− PII
− Proprietary Information (“Secret Sauce”)
− Other Party’s data
Assess Your Risk Tolerance
■ Whose opinion matters and why
■ Educated risk assessment
■ Varied views: legal vs. business vs. others
■ Role of “price” in the risk tolerance analysis
− Are you willing to pay more to reduce your risk?
■ Role of business/operational needs
− 100% secure data = useless data
Put the Right Practices in Place
■ Invest in a robust privacy/security program
■ Education
■ Policies
■ Encryption
− BYOD
■ Enforcement
− Audit
− Reporting
− Discipline
■ Cyberliability Insurance
■ Breach Response Plan
− Team
− Protocols
Assess Your Vendor’s Risk Tolerance/Preparedness
■ This step is often overlooked
■ Want to match tolerance levels
■ What to watch for
− Companies that need to land the deal
− Companies that are new to the space
− Companies that agree to security/privacy provisions without markups
− Companies that do not have privacy/security professionals
Assess Your Vendor’s Risk Tolerance/Preparedness (cont.)
■ No vendor is too small
− The case of the Chinese menu
− The case of Target’s HVAC vendor
■ With whom is the Vendor subcontracting?
Put the Right Paper in Place: Contracting Tips
■ Key contract provisions to include when sensitive data is involved
■ Important supplemental agreements/exhibits: BAAs, security exhibits, etc.
■ Getting the right eyes on the contract: Who needs to review and approve language?
Put the Right Practices with Vendors in Place
■ Good paper does not replace good practices
■ Diligence and Security Audits
■ Have a data breach response plan in place beforehand
■ Insurance (yours & theirs)
■ Ongoing “Health Checkups”
− Educate and review security policies and procedures
− Use audit provisions
− Get to know vendor security teams
Plan for Vendor Relationship Milestones
■ Launch of a new service, system, functionality
■ Use contract renewals as a checkpoint
■ Changes to data (type, amount, flow)
■ Regulatory updates
■ Internal business owners
Phase 2: Post Breach
Look at the Data
■ Is the breach ongoing?
■ What kind of data is involved?
■ Whose data is it?
■ How much data is involved?
■ How sensitive is the data?
■ Who has the data?
■ Who was responsible for the data?
■ Is it completely lost? Is it retrievable?
Taking Action
■ Role of Core Values:
− Transparency vs. liability?
■ Making Decisions with Partial Information
− Risks of delayed response vs. risk of acting on bad/incomplete information
Activate Your Team
■ Who needs to be at the table and why?
− Breach response team: Remediation, Investigation, Notification
■ Who are stakeholders that aren’t at the table?
Responding to a Breach
■ Immediate and long term response
− Is risk ongoing?
− Notify cyber liability carrier
− Litigation hold/preserve evidence
− Legal requirements: Notice to individuals and regulators
− Law enforcement?
− Root cause analysis
− Risk mitigation
− Reputation
Unpacking the Risks Arising from a Breach
■ Security: Is the threat over? Have we fixed the source of the problem?
■ Legal/compliance/regulatory: Did we breach a law?
■ Financial: Are we liable to third parties? Are we subject to fines? Will this impact revenue?
■ Reputational: How will this impact the organization’s reputation among stakeholders?
Data Breach Incident Response Business Process
Multiple Sources of Notification Requirements
■ Considerations
− Statutory/Regulatory Requirements: HIPAA; State laws re: Personally Identifiable Information; State laws re: breaches of medical information
− Contractual Notification Requirements: CMS Data Use Agreements; Medicaid Managed Care Contracts
Complexities re: Breaches Involving a Third Party
■ Establishment of process/liability via contract/Business Associate Agreement?
− Determination of breach
− Attribution of fault for breach
− Responsibility for notification
− Right to review and approve notice
− Right to approve communication to media
− Payment for costs of notification (direct costs, credit monitoring, public relations, attorney fees)/Indemnification (HIPAA and state law)/Insurance
− Requirements regarding notification/assistance with litigation
OCR Investigations
■ Reports of breaches affecting 500+ individuals will result in investigation
■ First step is response to request for data from OCR
■ Based on response, scope of investigation can expand
■ Covered Entity/Business Associate is liable for any non-compliance uncovered
Dealing with OCR
■ Address all requests – responses should be limited to issues identified by OCR.
■ Consider OCR’s audit criteria to target the entity’s response, if feasible.
■ Respond timely or request an extension.
■ Cooperate!
■ Highlight prompt corrective actions to address the cause of the breach.
Questions
Thank You
■ Thank you for joining us today
■ For more information on this topic, register to attend the 2014 FOLEYTech Summit, October 14 in Boston, MA – www.foley.com/events